Review of RRB's Controls Over the Access, Disclosure and Use of SSNs by Third Parties
Report No. 02-11, August 26, 2002

INTRODUCTION

This report presents the results of the Office of Inspector General's (OIG) review of the Railroad Retirement Board's (RRB) controls over the access, disclosure and use of Social Security Numbers (SSNs) by third parties.

BACKGROUND

The RRB is an independent agency in the executive branch of the Federal government. The RRB's primary function is to administer comprehensive retirement-survivor and unemployment-sickness benefit programs for the nation's railroad workers and their families. These benefits are provided under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). During fiscal year 2001, the RRB paid nearly $8.4 billion in retirement-survivor benefits to approximately 700,000 beneficiaries.

The Social Security Administration (SSA) created the SSN in 1936 as a means of tracking workers' earnings and eligibility for Social Security benefits. However, over the years, the SSN has become a "de facto" national identifier used by Federal agencies, state and local governments, and private organizations. Government agencies frequently ask individuals for their SSNs to comply with applicable laws and regulations or to efficiently track and exchange information. A number of laws and regulations also impose limitations on how agencies may use SSNs.

Due to concerns related to perceived widespread sharing of personal information and occurrences of identity theft, the General Accounting Office (GAO) studied how and to what extent Federal, state and local government agencies use individuals' SSNs and how these entities safeguard records or documents containing those SSNs. As part of the study, GAO sent questionnaires to 18 Federal programs that were likely to routinely collect, maintain, and use individuals' SSNs. The RRB was not selected for the GAO study. Specifically, GAO's questionnaires asked each Federal program to provide information about the following:

• ways in which the program obtains, maintains, and uses individuals' SSNs;
• current practices for providing individuals' SSNs to other organizations, including fees charged; and
• practices for safeguarding records containing SSNs.

GAO's study showed that government agencies are taking steps to safeguard SSNs; however, certain measures that could help protect SSNs are not uniformly in place at any level of government. First, when requesting SSNs, government agencies are not consistently providing individuals with information required by Federal law. For example, agencies are not consistently informing SSN holders of whether they must provide the SSN to receive benefits or services and how the SSN will be used. Second, although agencies are taking steps to safeguard SSNs from improper disclosure, the survey identified potential weaknesses in the security of information systems at all levels of government. The reviews also found numerous examples of actions taken to limit the presence of SSNs on documents that are not intended to be public but are nonetheless seen by others.

The expanded use of the SSN as a national identifier provides a tempting motive for many unscrupulous individuals to acquire an SSN and use it for illegal purposes. While no one can fully prevent SSN misuse, Federal agencies have some responsibility to limit the risk of unauthorized disclosure of SSN information. To that end, the Chairman of the House of Representatives' Ways and Means Subcommittee on Social Security asked SSA/OIG and the President's Council on Integrity and Efficiency (PCIE) to look across government at the way Federal agencies disseminate and control the SSN. Several Federal agencies, including the RRB, participated in this joint project, and the PCIE coordinated the review.

The Freedom of Information Act, the Privacy Act of 1974, and the Social Security Act Amendments of 1990 establish the framework for restricting SSN disclosure.[1] Specifically, with regard to collecting SSN information, section 7 of the Privacy Act prohibits any Federal, state or local government entity from conditioning any benefit on SSN disclosure by the individual, unless permitted by Federal law.

With regard to disclosures of SSNs contained in Federal record systems (i.e., records maintained on individuals), the Privacy Act controls the use and disclosure of such personal information, but does not specifically address SSNs. For each record system maintained by an agency, a Privacy Act notice must be published describing, among other things, the routine uses and disclosures of that information, which will of course include the SSN if relevant.

The Information Resources Management Center supports the RRB's Chief Information Officer in fulfilling responsibilities required by the Privacy Act. Administrative Circular IRM-2 describes the RRB's responsibilities under the Privacy Act. The circular also sets out the responsibilities of the RRB's Privacy Act Officer under the Privacy Act. These responsibilities include the following:

• to provide guidance, technical assistance, and general oversight for compliance with the Privacy Act;
• to serve as the focal point for RRB Privacy Act activities and as the primary liaison with the Office of Management and Budget and the Office of the Federal Register for Privacy Act matters;
• to review routine use disclosures, exemptions of systems of records, Privacy Act training, and systems of record notices as required by OMB Circular A-130; and
• to coordinate efforts among the bureaus and offices to furnish records to requestors.

[1] Freedom of Information Act (5 United States Code § 552), Privacy Act of 1974 (5 United States Code § 552a), and the Social Security Act Amendments of 1990 (42 United States Code § 405(c)(2)(C)(viii)).

OBJECTIVE, SCOPE AND METHODOLOGY

The objective of this review was to assess the RRB's controls over the access, disclosure and use of SSN information by third parties. Specifically, we determined whether the RRB:

• made legal and informed disclosures of SSNs to third parties;
• had appropriate controls over contractors' access and use of SSNs;
• had appropriate controls over other entities' (excluding government entities and contractors) access and use of SSNs; and
• had adequate controls over access to individuals' SSNs maintained in its databases.

In accordance with the PCIE guidelines, the review was limited to RRB controls over the access, disclosure and use of RRB beneficiaries' SSN information by third parties. The review covered calendar year 2001 activities. Some information has been provided for earlier and subsequent years because the RRB reports on a fiscal year basis, and some contracts covered multiple years.

To accomplish the objective, the OIG:

• reviewed applicable laws and regulations;
• reviewed prior audit reports;
• submitted GAO's questionnaire to applicable RRB officials;
• reviewed the RRB's controls over the disclosure of and access to SSN information by third parties;
• judgmentally selected and reviewed disclosures to three Federal agencies, three state agencies, two researchers, two private contractors, a railroad, and six insurance companies for compliance with the Privacy Act, as well as applicable agreements between parties;
• interviewed RRB personnel responsible for controlling SSN disclosure and access; and
• provided examples of additional steps that the agency can take to ensure that it has adequate controls over the use and protection of SSNs.

The review was performed in accordance with generally accepted government auditing standards appropriate for this type of review. The fieldwork was performed at the RRB headquarters office in Chicago, Illinois from January through July 2002.

RESULTS OF REVIEW

The review showed that RRB controls over the access, disclosure and use of SSNs by third parties are generally adequate, but improvements can be made. The RRB made legal and informed disclosures of SSNs to Federal and state agencies, contractors, insurance companies, universities, researchers, and railroads through the administration of the RRA and RUIA programs. Prior to disclosing SSN information, the RRB notified all individuals who applied for benefits that their SSNs may be disclosed.

The RRB also released SSNs of deceased beneficiaries to non-government entities and non-contractors. The RRB's Privacy Act Officer stated that the Privacy Act does not protect death information. Therefore, the RRB did not have any control issues in this area.

The RRB can strengthen some controls over contractors' access and use of SSNs and controls over access to SSNs maintained in the RRB's databases. The following sections of the report provide a detailed discussion of areas where improvements can be made.

SERVICES PROVIDED BY CONTRACTORS

The RRB has some controls over contractors' access and use of SSNs. For example, the RRB included the Privacy Act Notification in contracts or referenced the Privacy Act, conducted inspections of contractors' facilities, and addressed the disposition of SSNs and other identifying information. However, controls can be strengthened.

The RRB's Office of Administration and the Office of Programs indicated that they provided information, including SSNs, to four private contractors who provide services for RRB programs. We reviewed two contracts, Consultative Examinations, Ltd. (CEL) and Commercial Data Centers, Inc. (CDC), and determined that controls over the access and use of SSNs could be improved.

CEL provides medical opinions on approximately 8,000 RRB disability claims per year. The contractor is responsible for the daily pick-up of case files from the RRB headquarters and for the return of the case files and advisory medical opinions to the RRB headquarters within the time frames prescribed in the contract.

The contract provided that CEL would maintain a dedicated suite for only RRB work, that the suite would be locked at all times, and that cabinets used to store files would be fireproof. CEL's technical proposal called for an inventory control system with an up-to-the-minute status report on each claim file.

The RRB's solicitation urged the agency to inspect the site at which services were to be performed. In addition, the Federal Acquisition Regulation provided that the contracting officer should insert a clause allowing on-site inspections.[2] The clause states that, to the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of government data, the contractor shall afford the government access to the contractor's facilities, operations, documentation, records and databases.

[2] Federal Acquisition Regulation 52.239-1, Privacy or Security Safeguards.

A previous OIG audit performed in 2001 indicated that CEL did not specify how the contractor would comply with the Privacy Act and contract provisions regarding the privacy, confidentiality, and safety of RRB case files.[3] These situations were corrected in calendar year 2001.

[3] Report No. 02-02, Review of the RRB's Contract with CEL for Medical Consulting Services, dated January 4, 2002.

The OIG audit also disclosed that the RRB did not inspect the facility after the contract was awarded in October 2000. Because the RRB did not inspect CEL's facility in 2001, the RRB had no assurance that its sensitive documents were protected from unauthorized disclosure. The OIG recommended in its report that the RRB perform periodic unannounced reviews of the contractor's facility.

The RRB performed the unannounced inspection of the CEL facility on March 27, 2002 and found: (1) an unsecured dedicated suite, (2) loss of accountability of case files, and (3) case files stored in a non-fireproof cabinet. The contractor resolved all three issues. The RRB indicated it would conduct periodic reviews of the contractor's facility during calendar year 2002.

The RRB used the other private contractor, CDC, to produce and mass mail 717,823 annual tax statements and approximately 300,000 service and compensation records to RRA beneficiaries in calendar year 2001.

The contract with CDC included appropriate security procedures for safeguarding SSNs, including the Privacy Act Notification. The RRB visited the contractor's location to determine the accuracy and timeliness of the tax statements and to review storage locations. The visit included limited security checks related to document storage and the destruction of documents with printing errors. The inspection did not verify other procedures identified in CDC's Security Plan, such as access control, use of log sheets, issuance and control of magnetic cards, and password control. The RRB's visit did not cover the other CDC security procedures because the RRB's on-site inspection checklist provided for only limited inspection of security procedures. Without sufficiently inspecting or otherwise evaluating the adequacy of CDC's operations, the RRB cannot be assured that the contractor is safeguarding SSNs and other sensitive information.

Recommendation

The Office of Programs should take steps to evaluate and ensure the adequacy of CDC's procedures for safeguarding SSNs and other sensitive information (Recommendation No. 1).

Management's Response

The Office of Programs concurs with this recommendation. The Office of Programs will take steps to evaluate and ensure the adequacy of CDC's procedures for safeguarding SSNs and other sensitive information. These actions will be completed to coincide with the next production run of the contract with CDC. A complete copy of the response is included as Attachment 1.

ACCESS TO SSNs MAINTAINED IN RRB DATABASES

The RRB has established some controls over access to SSNs maintained in its databases. For example, database users must be authorized by a systems administrator, have a system password, and have access to system information only to the extent needed to perform their jobs. However, controls can be strengthened.

In calendar year 2001, the OIG reviewed information security at the RRB pursuant to the requirements of the Government Information Security Reform Act.[4] The scope of the review covered information system security at the RRB during May through September 2001. The review disclosed weaknesses in most areas of the RRB's information security program. Significant deficiencies in program management and access controls made the agency's information security program a material weakness in internal control over financial reporting. The OIG made specific recommendations for corrective action. The RRB indicated that it has implemented many of the recommendations. The OIG, however, still considers the agency to have a material weakness related to information security due to inadequacies in access controls and training of key personnel.

[4] Report No. 02-04, Review of Information Security at the Railroad Retirement Board, dated February 5, 2002.

In addition, three employees with the Centers for Medicare and Medicaid Services (CMS) had direct access to RRB databases in calendar year 2001. RRB management identified them as the only individuals, other than RRB employees, with direct access to RRB databases.

The RRB's Bureau of Information Services performs an annual security audit and distributes the report to system owners. The owners then provide feedback on the access needs of the individuals in the report. However, this report lists only RRB employees with access to RRB computer systems.

Appendix III to OMB Circular A-130 requires that Federal agencies implement and maintain a program to ensure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.

If CMS employees were included on this list, the control could be effective in identifying CMS employees who have access to system features that they do not need for the performance of their duties. Unneeded system access could allow unauthorized disclosures of SSNs. During calendar year 2001, the RRB relied on CMS to notify the RRB when access needs change.

Recommendation

The Bureau of Information Services should include non-RRB employees in future security reports (Recommendation No. 2).

Management's Response

The Bureau of Information Services concurs with this recommendation. Non-RRB employees who have access to RRB computer systems will be included in the annual security audit. This will take effect October 1, 2002 for the two CMS employees.

REPORT TABLE

Objective #1: To determine whether your agency makes legal and informed disclosures of SSNs to third parties.

A. Does the agency make legal and informed disclosures of SSNs to third parties? If yes, only answer B and then go to Objective 2. If no, answer questions B, C, & D, as appropriate.
   Answer: YES

B. Please provide an example or two of how your agency makes legal and informed disclosures of SSNs to third parties.

The Railroad Retirement Board (RRB) provides information that discloses individuals' SSNs to Federal and state agencies, contractors, insurance companies, universities, researchers, and railroads through its administration of the Railroad Retirement Act and Railroad Unemployment Insurance Act.

• The RRB has state wage matching agreements with all 50 states, the District of Columbia and Puerto Rico. Under the agreements, the RRB provides the states with the SSNs of RRB claimants and beneficiaries. The states return wage or unemployment benefit information to the RRB. This information enables the RRB to identify individuals receiving payments from non-railroad employers, or state unemployment benefits, for days they also claim railroad unemployment or sickness benefits. The matching agreements are also used to monitor the earnings of railroad disability annuitants.

• The RRB provides identifying information, including SSNs, to the Department of Veterans Affairs. The RRB has the authority to release information to the Department of Veterans Affairs to determine if claimants are eligible for veteran benefits and if any previous veteran benefits were paid incorrectly.

• The RRB also provides information, including individuals' SSNs, to contractors. One contractor, Consultative Examinations, Ltd. (CEL), provides medical opinions on approximately 8,000 RRB disability claims per year. The contractor is responsible for the daily pick-up of case files from the RRB headquarters and for the delivery of case files and advisory medical opinions to the RRB headquarters within the time frames prescribed in the contract.

Objective #2: To determine whether your agency has appropriate controls over contractors' access and use of SSNs.

A. Does your agency use contractors? If yes, continue to question B. If no, go to Objective #3.
   Answer: YES

B. Does your agency have appropriate controls over contractors' access and use of SSNs? If yes, only answer C and go on to Objective #3. If no, answer questions C, D, and E as appropriate.
   Answer: NO

C. Please provide an example or two of how your agency has appropriate controls over contractors' access and use of SSNs.

We reviewed two written contracts the RRB had in force during 2001: one with CEL, and the other with Commercial Data Centers, Inc. (CDC). CEL provides medical opinions on approximately 8,000 RRB disability claims per year. The contractor is responsible for the daily pick-up of case files from the RRB headquarters and for the delivery of case files and advisory medical opinions to the RRB headquarters. CDC issues RRB Tax Statements (Form 1099) to beneficiaries who received railroad retirement annuities during the tax year and Certificates of Service Months & Compensation (Form BA-6) to current railroad employees.

One contract states that the contractor will ensure the privacy, confidentiality, and safety of the physical and electronic case files while the files are in the possession of the contractor. The other contract provides that information regarding any individual is of a confidential nature and must be handled so that such information does not have any unauthorized use.

In addition, both contracts provide for the return of all individual information when it is no longer needed.

D. Briefly describe the specifics of how your agency fails to have adequate controls over contractors' access and use of SSNs. For example, your agency does not (1) have a MOU or written agreement that outlines how contractors should use and protect SSNs or (2) monitor contractors' access and use of SSNs.

• The RRB did not perform an on-site inspection of CEL's facility in calendar year 2001. The RRB did perform an unannounced inspection of CEL's facility on March 27, 2002 and found the following: (1) an unsecured dedicated suite, (2) loss of accountability of case files, and (3) case files stored in a non-fireproof cabinet. The contractor resolved all three issues, and the RRB indicated it would conduct periodic reviews of the contractor's facility during calendar year 2002.

• The RRB visited CDC's processing location to determine the accuracy and timeliness of the tax statements and to review storage locations. The visit included limited security checks related to document storage and the destruction of documents with printing errors. However, the inspection did not verify other procedures identified in CDC's Security Plan, such as access control, use of log sheets, issuance and control of magnetic cards, and password control.

E. List specific steps (you identified) that your agency can take to ensure it has adequate controls over access to SSNs maintained in its databases.

The Office of Programs should take steps to evaluate and ensure the adequacy of CDC's procedures for safeguarding SSNs and other sensitive information.

Objective #3: To determine whether your agency has appropriate controls over other entities' (non-government/non-contractor) access and use of SSNs.

A. Does your agency grant other entities (non-government / non-contractor) access and use of SSNs? If yes, continue to question B. If no, go to Objective #4.
   Answer: YES

B. Does your agency have appropriate controls over other entities' (non-government / non-contractor) access and use of SSNs? If yes, only answer C and go on to Objective #4. If no, answer questions C, D, and E as appropriate.
   Answer: N/A

C. Please provide an example or two of how your agency has appropriate controls over other entities' (non-government / non-contractor) access and use of SSNs.

The RRB disclosed claimants' identifying information to the following non-government / non-contractor entities during calendar year 2001: Asset Quest, Union Pacific Railroad, and six insurance companies. All of the information provided related to deceased individuals.

RRB personnel contact the RRB's Privacy Act Officer and the Bureau of Law for guidance before releasing the information. Since the information disclosed related to deceased individuals only, no controls are necessary. Death information is not protected by the Privacy Act.

Objective #4: To determine whether your agency has adequate controls over access to individuals' SSNs maintained in its databases.

A. Does your agency grant access to SSNs maintained in its databases to individuals affiliated with other organizations? If yes, continue to question B. If no, you are finished.
   Answer: YES

B. Does your agency have adequate controls over access to SSNs maintained in its databases? If yes, only answer C. If no, answer questions C, D, and E as appropriate.
   Answer: NO

C. Please provide an example or two of the controls your agency has over access to SSNs maintained in its databases.

RRB database users must be authorized by a systems administrator, must have a system password, and can access system information only to the extent needed to perform their jobs.

D. Briefly describe the specifics of how your agency fails to have adequate controls over access to SSNs maintained in its databases. For example, your agency does not have (1) a MOU or written agreement that outlines how personnel from other organizations should safeguard SSNs or (2) system controls to preclude unauthorized employees from gaining access to SSNs maintained in its databases.

In calendar year 2001, the OIG reviewed information security at the RRB pursuant to the requirements of the Government Information Security Reform Act.[5] The scope of the review covered information system security at the RRB during May through September 2001. The review disclosed weaknesses in most areas of the RRB's information security program. Significant deficiencies in program management and access controls made the agency's information security program a material weakness in internal control over financial reporting. The OIG made specific recommendations for corrective action. The RRB indicated that it has implemented many of the recommendations. The OIG, however, still considers the agency to have a material weakness related to information security due to inadequacies in access controls and training of key personnel.

[5] Report No. 02-04, Review of Information Security at the Railroad Retirement Board, dated February 5, 2002.

In addition, three employees with the Centers for Medicare and Medicaid Services (CMS) had direct access to RRB databases in calendar year 2001. RRB management identified them as the only individuals, other than RRB employees, with direct access to RRB databases.

The RRB's Bureau of Information Services performs an annual security audit and distributes a report to system owners. The owners then provide feedback as to whether the individuals in the report still need the access provided to them. However, the report lists only RRB employees with access to RRB computer systems.

If CMS employees were included in this report, the control could be effective in identifying CMS employees who have access to system features that they do not need for the performance of their duties. Unneeded system access could allow unauthorized disclosures of SSNs. During calendar year 2001, the RRB relied on CMS to notify the RRB when access needs change.

E. List specific steps (you identified) that your agency can take to ensure it has adequate controls over access to SSNs maintained in its databases.

The RRB should include non-RRB employees in future security reports.
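The access-review control discussed under "Access to SSNs Maintained in RRB Databases" and in Objective #4 above has a simple structural gap: the annual report sent to system owners is built from agency employees only, so externally affiliated accounts with live database access are never recertified. The following is an added illustration of that control and its correction; it is not code from the RRB or from this report. All account identifiers, database names and review dates are constructed for the example, and the report builders and checks are hypothetical names chosen here. It goes slightly beyond the page by also applying the owner's feedback as a least-privilege check and flagging accounts that have not been reviewed within one reporting cycle.

```python
"""Annual access recertification over every account with database access.

Shows the weak control (report built from agency employees only, so external
accounts never reach a system owner) beside the corrected control (every
principal listed and tagged with its affiliation), plus two follow-on checks
that the owner feedback makes possible. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str
    affiliation: str                 # "RRB" for agency staff; otherwise the external organization
    granted: FrozenSet[str]          # databases the account can actually reach
    owner_confirmed: FrozenSet[str]  # databases the system owner confirmed are still needed
    last_reviewed: date              # date the account last appeared in a security report


# Constructed sample population (hypothetical user ids and database names).
ACCOUNTS: List[Account] = [
    Account("rrb0101", "RRB", frozenset({"ANNUITY_DB"}), frozenset({"ANNUITY_DB"}), date(2001, 10, 1)),
    Account("rrb0102", "RRB", frozenset({"ANNUITY_DB", "WAGE_DB"}), frozenset({"ANNUITY_DB"}), date(2001, 10, 1)),
    Account("cms0001", "CMS", frozenset({"MEDICARE_DB"}), frozenset({"MEDICARE_DB"}), date(1999, 10, 1)),
    Account("cms0002", "CMS", frozenset({"MEDICARE_DB", "ANNUITY_DB"}), frozenset({"MEDICARE_DB"}), date(1999, 10, 1)),
    Account("cms0003", "CMS", frozenset({"MEDICARE_DB"}), frozenset(), date(1999, 10, 1)),
]

# Constructed cut-off date for the review cycle used in the stale-review check.
REVIEW_DATE = date(2002, 10, 1)


def employee_only_report(accounts: Sequence[Account]) -> List[str]:
    """The weak control: only agency employees are listed for the system owners."""
    return sorted(a.user_id for a in accounts if a.affiliation == "RRB")


def full_population_report(accounts: Sequence[Account]) -> List[Tuple[str, str]]:
    """The corrected control: every account with access is listed, tagged with its affiliation."""
    return sorted((a.user_id, a.affiliation) for a in accounts)


def accounts_missing_from_report(accounts: Sequence[Account], report: Sequence[str]) -> List[str]:
    """Reconciliation: accounts that hold live access but never reached an owner for review."""
    listed = set(report)
    return sorted(a.user_id for a in accounts if a.user_id not in listed)


def excess_access(accounts: Sequence[Account]) -> Dict[str, List[str]]:
    """Least-privilege check from owner feedback: access held beyond what the owner confirmed."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        extra = a.granted - a.owner_confirmed
        if extra:
            findings[a.user_id] = sorted(extra)
    return findings


def stale_reviews(accounts: Sequence[Account], as_of: date, max_age_days: int = 366) -> List[str]:
    """Accounts whose last review is older than one reporting cycle (a year, with a day of slack)."""
    return sorted(a.user_id for a in accounts if (as_of - a.last_reviewed).days > max_age_days)


if __name__ == "__main__":
    weak = employee_only_report(ACCOUNTS)
    print("employee-only report:", weak)
    print("never reviewed under that report:", accounts_missing_from_report(ACCOUNTS, weak))
    full = full_population_report(ACCOUNTS)
    print("full report:", full)
    print("never reviewed under full report:", accounts_missing_from_report(ACCOUNTS, [u for u, _ in full]))
    print("access beyond owner confirmation:", excess_access(ACCOUNTS))
    print("stale reviews as of", REVIEW_DATE, ":", stale_reviews(ACCOUNTS, REVIEW_DATE))
```

The reconciliation step is the one that matters most: the report population must be derived from the systems' own access lists, not from a personnel roster, or accounts that do not appear on the roster (here the CMS accounts) silently escape review. Relying on the external organization to notify the agency when its staff's needs change, as the report describes for 2001, does not close that gap.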